How to Configure Certificate-based

Authentication for the WebUI

Overview:

This article provides the steps to configure certificate-based authentication to the Palo Alto Networks WebUI.
Note: Once this type of authentication is enabled, all username/password logins are disabled for all
administrators. Administrators must be issued certificates in order to login.

Steps:

1. Generate a CA.
-Go to the Device tab -> Certificates -> click Generate -> Ensure CA is checked.

Generated on 2015-07-13-07:00
1
How to Configure Certificate-based Authentication for the WebUI

2. Create the Client Certificate Profile.

-Go to the Device tab -> Client Certificate Profile -> click Add -> Change the Username field to Subject, and the
next field will be common-name. Also, add the CA created in Step 1.

Generated on 2015-07-13-07:00
2
How to Configure Certificate-based Authentication for the WebUI

3. Set Client Certificate Profile for Authentication Settings.

-Go to the Device tab -> Setup -> Click the edit button for the Authentication Settings Window -> Assign the
Client Certificate Profile created in Step 2.

4 Create an Admin with client certificate authentication setting checked.

-Go to the Device tab -> Administrators -> Click Add. Ensure use only client certificate authentication (Web)
is checked.

Generated on 2015-07-13-07:00
3
How to Configure Certificate-based Authentication for the WebUI

5. Create the client certificate for the newly created Administrator.

-Go to the Device tab -> Certificates -> Generate
Ensure that the certificate is signed by the CA created in Step 1.
Verify that the common name field has the Administratorss name created in Step 4.

Generated on 2015-07-13-07:00
4
How to Configure Certificate-based Authentication for the WebUI

6. Export the Administrators Client Cert

-Go to the Device tab -> Setup
In the Certificates section, check the client Certs checkbox.
Click Export.
Verify that the File Format is PKCS12 -> Enter a passphrase.

Generated on 2015-07-13-07:00
5
How to Configure Certificate-based Authentication for the WebUI

7. Commit.
-When committing, youll see the message below:

Generated on 2015-07-13-07:00
6
How to Configure Certificate-based Authentication for the WebUI

8. Import the Administrator's Client Certificate into the browser (Firefox for demo).
-Go to the Firefox options menu.
Click the View Certificates button.
Click the Import button
Point to the Admins Client Cert previously exported.
Enter passphrase.

Generated on 2015-07-13-07:00
7
How to Configure Certificate-based Authentication for the WebUI

9. Go to the Palo Altos WebUI (ensure HTTPS is enabled on the interface).

- Choose the Client Certificate.

Generated on 2015-07-13-07:00
8
How to Configure Certificate-based Authentication for the WebUI

10. This warning will display because the Cert isn't trusted.
-Add the exception.

Generated on 2015-07-13-07:00
9
How to Configure Certificate-based Authentication for the WebUI

11. Click Login.

Generated on 2015-07-13-07:00
10